Sorry

To be as competitive as possible more organizations today are creating more agile development and operations teams who are collaborating more closely together than before – and moving more applications and more application updates than ever before as a result. Some are moving many dozens of updates and infrastructure changes a day.

This has some security managers and CISOs concerned that by pushing updates out too quickly, secure development practices and quality assurance gets pushed to the side in favor of agility and speed.

According to Gene Kim, founder of IT security firm Tripwire and DevOps author and speaker says that this highly cooperative and iterative environment doesn’t create the shoddy environment (security wise, that is) they fear: in fact it can enhance security. “We’ve witnessed this downward spiral that happens in almost every IT organization. It became typical that whenever you wanted a new release or deployment, in most enterprises, it would take days or weeks or longer to complete. It involves tons of project sign-offs and hand-offs. This includes developers, DBAs, release teams, security and compliance people, operations teams and so on. This creates delays and is itself very error prone,” Kim says.

Kim and other agile IT advocates contend that this creates fragile applications in production, builds up technical debt (including things that must be fixed in the future) and causes the business to run more slowly over time. “It led to preordained failure. Where people felt, especially downstream (operations, test, security) trapped in a system where people were powerless to change the outcomes,” Kim says.

What DevOps advocates is testing as code is being developed. “This way you don't have this upfront cost associated with this very long architecture phase before you start building. You are iterating. So it's an opportunity for the security team to participate in that. It produces tighter feedback loops both within the dev and the ops worlds. Security gets to play in that as well,” says Bill Burns, former CISO with a major online streaming and entertainment service.

“The fact is, when done well, incorporating security into DevOps is sort of the Holy Grail for a really robust secure development lifecycle. Everyone says they want to put security upfront in the design and within the architecture phases. With DevOps that becomes much more feasible,” Burns says.

An example Kim likes to share is the static code analysis application that the Twitter development team built into its Jenkins continuous integration processes. The tool, dubbed “Brakeman” runs secure code analysis of the application and its findings are fed into the homebuilt Security Automation Dashboard whenever a developer hits save on their work. After Brakeman’s quick analysis, the developer would get an email if there was a negative finding, for example, that would say something along the lines of: "Hey, you may want to know that we just detected a SQL injection vulnerability. Click here to learn how to fix it."

“The instant they fixed it and hit save they would get another e-mail from brakeman saying "Hey, thank you so much. Thank you for fixing the SQL injection vulnerability. Please rate our instructions on helpfulness 1-5 stars," Kim explains.

A survey recently conducted by automated server management software provider JumpCloud found that such security automation – including activities such as patching, user management, log analysis, and forensics – is an integral part of the DevOps movement.

That’s exactly how security should be coupled to the process, explains Burns. “You build these small feedback loops that are tightly coupled between the developers and the operation roles so you log more events. When you are security and you are part of those conversations you get to make these incremental improvements and pivot with the product or the service as they're developing it,” Burns says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.